The U.S. Federal Bureau of Investigation has something to be proud of: As of last month, it’s no longer possible for hackers to impersonate the agency with emails that appear to come from the FBI.
That’s a change from January, when we noted that FBI.gov — like most of the government domains we checked — was not protected by the gold standard in email authentication, DMARC enforcement. In fact, of the 10 .gov domains we analyzed, only one, SSA.gov, had a DMARC record that was configured correctly and set to enforcement (a policy of quarantine or reject).
Our January finding parallels the Online Trust Association’s 2017 Online Trust Audit, which assesses the security protections of a wide range of organizations. This year the OTA’s audit included email authentication as one of its criteria. The audit found that federal government sites are lagging behind business sites in DMARC implementation and enforcement rates.
With a correctly configured DMARC record set to enforcement, a domain is fully protected from email impersonators. That’s because any mailbox that checks the DMARC status of inbound messages — including every major email provider, such as Google, AOL, Microsoft, and more, comprising 2.7 billion mailboxes in all — will reject messages that appear to come from the protected domain but haven’t actually been authorized by that domain.
Critically, DMARC requires that the From field in a message use the same domain that is being authenticated. With SPF or DKIM alone, you don’t have that guarantee, which leaves the door open for phishers to create messages that pass SPF or DKIM using a domain they control, while putting an unrelated, faked domain in the From field. DMARC shuts that door.
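The alignment rule above is the whole point, so here is a small added illustration (not code from the original post) of how a receiver applies it: a DMARC record is parsed, checked for an enforcement policy, and a message is evaluated so that an SPF or DKIM pass on a domain the sender controls does not rescue a forged From domain. All records and domains below are constructed for the example.

```python
"""Toy DMARC evaluator (added example, not the post's own code).

Demonstrates two things the post describes: a record only protects a
domain when it is valid and its policy is quarantine or reject, and an
SPF/DKIM pass only counts when the authenticated domain aligns with the
domain in the From header. Sample domains/records are constructed.
"""


def org_domain(domain):
    """Organizational domain (mail.agency.example -> agency.example).

    Assumption: single-label public suffix, as in the sample data; real
    receivers consult the Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A record without v=DMARC1 or without a p= tag carries no policy.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def is_enforcing(txt):
    """True only for a valid record whose policy is quarantine or reject."""
    tags = parse_dmarc(txt)
    return tags is not None and tags["p"].lower() in ("quarantine", "reject")


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if auth_domain is None:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """'pass' if an aligned SPF or DKIM pass exists, else the policy to apply.

    spf_pass_domain: envelope-sender domain SPF authenticated (or None).
    dkim_pass_domain: d= domain of a verified DKIM signature (or None).
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"  # no usable record: receiver cannot enforce anything
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()
```

With `p=reject`, a message whose SPF passes for `phisher.example` but whose From header says `agency.example` is rejected, while mail from `mail.agency.example` passes under relaxed alignment and fails under `aspf=s`.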
SSA.gov remains fully protected, and FBI.gov now joins the ranks of authenticated .gov domains.
The other eight, however, still lack DMARC records, or have records that contain errors or lack an enforcement directive. That includes domains for the IRS (a frequent subject of impersonation attacks), the NSA, the CIA, and even the White House.
The White House, of course, was the target of its own impersonation attack recently. In that case the attacker, calling himself “Email Prankster” and publicizing his exploits on Twitter, was not making any attempt to spoof the From address in his emails, so DMARC would not have made any immediate difference. But if Whitehouse.gov did have email authentication enabled, it might have been easier to flag non-White House email addresses like those used by the prankster.
It’s clear the federal government still has a long way to go to protect its domains. That’s why we agree with Senator Ron Wyden that federal agencies should be required to implement DMARC with a policy of reject or quarantine.
Top photo: Not the FBI's DMARC enforcement truck. Photo credit: James Duff/Flickr